Certified Cloud Security Professional Study Guide Chapter 7 Review Questions (Ben Masilow) Flashcards

1
Q

Which of the following best represents the REST approach to APIs?

A. Built on protocol standards
B. Lightweight and scalable
C. Relies heavily on XML
D. Only supports XML output

A

B. Lightweight and scalable

Explanation:
The other answers all list aspects of SOAP.

2
Q

Which of the following is not commonly included in the phases of SDLC?

A. Define
B. Reject
C. Design
D. Test

A

B. Reject

Explanation:
The other answers are all possible stages used in software development.

3
Q

Which of the following is not a component of the STRIDE model?

A. Spoofing
B. Repudiation
C. Information Disclosure
D. External pen testing

A

D. External pen testing

Explanation:
The other answers are all components of the STRIDE model.

4
Q

Which of the following best describes SAST?

A. White-box testing
B. Black-box testing
C. Gray-box testing
D. Red-team testing

A

A. White-box testing

Explanation:
SAST involves source code review, which is often referred to as white-box testing.

5
Q

Which of the following confirms that the identity assertion belongs to the entity presenting it?

A. Identification
B. Authentication
C. Authorization
D. Inflammation

A

B. Authentication

Explanation:
This is the definition of authentication.

6
Q

Which of the following best describes a sandbox?

A. An isolated space where transactions are protected from malicious software
B. A space where you can safely execute malicious code to see what it does
C. An isolated space where untested code and experimentation can safely occur separate from the production environment
D. An isolated space where untested code and experimentation can safely occur within the production environment

A

C. An isolated space where untested code and experimentation can safely occur separate from the production environment

Explanation:
Options A and B are also correct, but C is more general and incorporates them both.
D is incorrect because sandboxing does not take place in the production environment.

7
Q

Identity and access management (IAM) is a security discipline intended to ensure __________

A. All users are properly authorized
B. The right individual gets access to the right resources at the right time for the right reasons
C. All users are properly authenticated
D. Unauthorized users will get access to the right resources at the right time for the right reasons

A

B. The right individual gets access to the right resources at the right time for the right reasons

Explanation:
Options A and C are also correct, but included in B, making B the best choice.
D is incorrect because we do not want unauthorized users gaining access.

8
Q

In a federated identity arrangement using a trusted third-party model, who is the identity provider and who is the relying party?

A. A contracted third party/the various member organizations of the federation
B. The users of the various organizations within the federation/a CASB
C. Each member organization/a trusted third party
D. Each member organization/each member organization

A

A. A contracted third party/the various member organizations of the federation

Explanation:
In a trusted third-party model of federation, each member organization outsources the review and approval task to a third party they all trust.
This makes the third party the identity provider (it issues and manages identities for all users in all organizations in the federation), and the various member organizations are the relying parties (the resource providers that share resources based on approval from the third party).

9
Q

Which of the following best describes the Organizational Normative Framework (ONF)?

A. A container for components of an applications’ security controls and best practices cataloged and leveraged by the organization
B. A framework of containers for all components of application security controls and best practices cataloged and leveraged by the organization
C. A subset of application security controls and best practices cataloged and leveraged by the organization
D. A framework of containers for some of the components of application security controls and best practices catalogued and leveraged by the organization

A

B. A framework of containers for all components of application security controls and best practices cataloged and leveraged by the organization

Explanation:
Option A is incorrect because it refers to a specific application's security elements, meaning it is about an ANF, not the ONF.
C is true, but not as complete as B, making B the better choice.
D suggests that the framework contains only “some” of the components, which is why B (which describes “all” components) is better.

10
Q

APIs typically are built with REST or ______

A. XML
B. SSL
C. SOAP
D. TEMPEST

A

C. SOAP

Explanation:
REST and SOAP are two common ways to build APIs.
Although SOAP is based on XML, SOAP is the more accurate answer.
The other two answers are not used for building APIs.

11
Q

The ANF is best described as which of the following?

A. A stand-alone framework for storing security practices for the ONF
B. A subset of the ONF
C. A superset of the ONF
D. The complete ONF

A

B. A subset of the ONF

Explanation:
Remember, there is a one-to-many ratio of ONF to ANF; each organization has one ONF and many ANFs (one for each application in the organization).
Therefore, the ANF is a subset of the ONF.

12
Q

Which of the following best describes SAML?

A. A standard for developing secure application management logistics
B. A standard for exchanging authentication and authorization data between security domains
C. A standard for exchanging usernames and passwords across devices
D. A standard used for directory synchronization

A

B. A standard for exchanging authentication and authorization data between security domains

Explanation:
Option C is also true, but not as comprehensive as B.
A and D are simply not true.

13
Q

Which of the following best describes the purpose and scope of ISO/IEC 27034-1?

A. Describes international privacy standards for cloud computing
B. Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security
C. Serves as a newer replacement for NIST 800-53 r4
D. Provides an overview of network and infrastructure security designed to secure cloud applications

A

B. Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security

Explanation:
Option B is a description of the standard; the others are not.

14
Q

Which of the following terms means “to perceive software from the perspective of the attacker in order to locate/detect potential vulnerabilities”?

A. Rendering
B. Galloping
C. Agile
D. Threat modeling

A

D. Threat modeling

Explanation:
This is the definition of threat modeling.

15
Q

Database activity monitoring (DAM) can be ______

A. Host-based or network-based
B. Reactive or imperative
C. Used in the place of encryption
D. Used in place of data masking

A

A. Host-based or network-based

Explanation:
We do not use DAM in place of encryption or masking; DAM augments these options without replacing them.
"Reactive or imperative" has no meaning in this context and is only a distractor.

16
Q

WAFs operate at OSI Layer _______

A. 1
B. 3
C. 5
D. 7

A

D. 7

Explanation:
WAFs operate at Layer 7 (the application layer) of the OSI model.

17
Q

Multifactor authentication consists of at least two items.
Which of the following best represents this concept?

A. A complex password and a secret code
B. Complex passwords and an HSM
C. A hardware token and a magnetic strip card
D. Something you know and something you have

A

D. Something you know and something you have

Explanation:
Option D is the best, most general, and most accurate answer.

18
Q

SOAP is a protocol specification for providing for the exchange of structured information or data in web services.
Which of the following is not true of SOAP?

A. Standards-based
B. Reliant on XML
C. Extremely fast
D. Works over numerous

A

C. Extremely fast

Explanation:
The other answers are true of SOAP.

19
Q

DAST requires ______

A. Money
B. Compartmentalization
C. A runtime environment
D. Recurring inflation

A

C. A runtime environment

Explanation:
DAST requires a runtime environment.
All tests require money, so A is incorrect.
Compartmentalization and inflation have no meaning in this context and are just distractors.

20
Q

Physical sandboxing provides which of the following?

A. The production environment
B. An airgapped test environment that isolates untrusted code for testing in a nonproduction environment
C. Emulation
D. Virtualization

A

B. An airgapped test environment that isolates untrusted code for testing in a nonproduction environment

Explanation:
Physical sandboxing creates a test environment completely isolated from the production environment.